I've written my own encryption method using AES in a project I've been working on lately using PyCrypto. I use a hash to generate a 32-byte password and feed that to AES-256bit encryption using CBC. The file input is padding using PKCS#7 padding to conform to be divisible by 16.
I can encrypt and decrypt the file without incident and the input file originally encrypted along with the output file have the same SHA-256 hash.
The only problem I'm finding is that if I supply the wrong passphrase, decryption still happens. This is a problem for what I'm doing, as I need to have decryption fail fast if the passphrase is wrong.
How can I make this happen? I've heard of other methods of AES encryption, but it seems that PyCrypto only supports ECB, CBC, CFB, OFB, CTR, and OpenPGP. How can I implement cryptographically strong AES which will fail decryption without the right passphrase?
There is nothing about AES (or any other encryption algorithm for that matter) that could allow you to know whether you have the correct key. That said, it's a very useful feature when you actually want to use cryptography outside of the realm of mathematics.
What you need to do is add a block with a known value at the start of your message, that way after decrypting the first block you can compare it against the known value and know whether you have the wrong key. If the data you're encrypting has a known header you could use this instead.
Alternatively you could send a cryptographic hash (for example SHA-256) of the key along with the message, an attacker would only be able to recover the key if they could break the hash.
The best way of making sure that your ciphertext won't decrypt when it has been changed is to add an authentication tag. An authentication tag is used to provide authentication and integrity of the ciphertext.
This tag may consist of a MAC (e.g. AES-CMAC or HMAC using SHA-256) over the ciphertext. This however requires a second key to be secure.
Another method is to use authenticated encryption such as GCM. GCM uses a single key and generates an authentication tag (the size can be configured).
Make sure you use a correctly generated IV. The IV could be prefixed to the ciphertext, and should be included when calculating the authentication tag), and don't forget that the size of your plain text may not be hidden.
You should verify the correctness of the tag before decryption of the ciphertext.
Note that in general, you should not encrypt passwords, unless you require access to the precise password at a later date. For verification of passwords, use PBKDF2 instead.
To provide the desired fail-fast property, you'll need to prepend a header to the data being enciphered. I suggest using a random "confounder" nonce (similar to a cryptographic salt) concatenated with a known constant "magic number"; the presence of a confounder will, much like a salt, provide a measure of defense against attacks based on precomputed tables.
With such a header present, you need only decipher the header and validate the magic number field; if it does not match the known constant, the key is no good. If it does match, discard the header and process the remainder of the input.